Users who identify and report serious security vulnerabilities involving Mozilla are to be rewarded for finding bugs in the open source Web browser software.
The Mozilla Security Bug Bounty Program, launched yesterday, promises a reward of $500 to anyone who finds a "critical" security bug in Mozilla. What constitutes critical will be judged by the Mozilla Foundation staff. Linux software developer Linspire and Mark entrepreneur Shuttleworth have issued seed funding to support the initiative, to be supplemented by donations from Mozilla supporters. The first $5,000 in community contributions will be matched dollar-for-dollar by Shuttleworth.
Mozilla already has a good record of promptly fixing any security problems that arise. The Mozilla Security Bug Bounty Program seeks to further encourage the community's focus on security consciousness and responsiveness. The level of reward has been pitched quite low - if somebody found an exploit they'd doubtless make more money via security firm iDefense's controversial vulnerability contributor program - but that's not really the point. The Mozilla program is probably best viewed as a symbolic gesture of thanks to those who take the trouble to find and report bugs than as a way of providing a financial incentive to expand the number of people looking for problems involving Mozilla.
"This program reflects our commitment to protecting consumers from malicious actors," said Mitchell Baker, President of the Mozilla Foundation. "Recent events illustrate the need for this type of commitment. While no software is immune from security vulnerabilities, bugs in open source projects are often identified and fixed more quickly. The Security Bug Bounty Program will help us unearth security issues earlier, allowing our supporters to provide us with a head start on correcting vulnerabilities before they are exploited by malicious hackers [crackers]."
Users who identify security bugs in Mozilla software are encouraged to go to Mozilla.org/security, which links to more information about which flaws are eligible and how to claim the bounty. ®
Mozilla takes bite out of IE
Mozilla bug rears its head
CERT recommends anything but IE
Long-awaited IE patch (finally) arrives
MS posts $250,000 MyDoom worm bounty
MS' anti-virus bounty success
Computer Security: a handbook for the ordinary user (book review)